Mysterious $15,000 'GrayKey' Promises To Unlock iPhone X For The Feds (forbes.com)
Thomas Fox-Brewster, reporting for Forbes: Just a week after Forbes reported on the claim of Israeli U.S. government manufacturer Cellebrite that it could unlock the latest Apple iPhone models, another service has emerged promising much the same. Except this time it comes from an unknown entity, an obscure American startup named Grayshift, which appears to be run by long-time U.S. intelligence agency contractors and an ex-Apple security engineer. In recent weeks, its marketing materials have been disseminated around private online police and forensics groups, offering a $15,000 iPhone unlock tool named GrayKey, which permits 300 uses. That's for the online mode that requires constant connectivity at the customer end, whilst an offline version costs $30,000. The latter comes with unlimited uses. Another ad showed Grayshift claiming to be able to unlock iPhones running iOS 10 and 11, with iOS 9 support coming soon. It also claims to work on the latest Apple hardware, up to the iPhone 8 and X models released just last year. In a post from one private Google group, handed to Forbes by a source who asked to remain anonymous, the writer indicated they'd been demoed the technology and that it had opened an iPhone X.
Let the arms race begin! (Score:2)
Please pass me the popcorn...
Re: (Score:2, Insightful)
No. "Popcorn" has been removed by Apple from the AppStore.
Re: (Score:2)
Re: (Score:2)
GPLv3 software isn't allowed in the app store because that's a violation of the GPLv3 license (anti-tivoization - since the app store keys are not revealed, it is therefore incompatible with the GPLv3).
GPLv2 software may be allowed even though doing so potentially violates the GPL (because the App St
Re: (Score:2)
Correction: GPL software can be published, it's the GPL per se that doesn't allow GPLed software on app stores.
Apple couldn't care less, their developer agreement gives them a license to distribute your app, even if the GPL doesn't.
Re: (Score:1)
Wait until they hit ROT-26. I use it for all my Slashdot posts, and they're pretty much undecipherable.
Re: (Score:1)
Re: (Score:1)
Re: Let the arms race begin! (Score:1)
Re: (Score:2)
Re: (Score:2)
Being that this service is being labeled "Mysterious", I expect they are opening up the phone, tapping into the storage media, downloading all the data, then brute forcing it until they get in. Since most people just use a 4-digit PIN, that means 9999 possible combinations. If they use a password, then we have the brute force password hacking algorithms.
Such a process I would expect the 30k to be a reasonable price. Taking account opening an iPhone without breaking it, skills to tap into a soldered SD Driv
It's a software solution (Score:2)
At least according to the description.
Re: (Score:2)
The data on the phone is encrypted with much longer keys than your PIN.
Your credential is presented to the secure enclave, which ratelimits attempts and locks out on too many failures. If it is correct then it releases appropriate keys.
Re: (Score:2)
Correct.
This is either something that makes use of a massive vulnerability in Apple's implementation, or it's the tried-and-true method of freezing/resetting the unlock attempt counter so you can brute force the password.
Re: (Score:2)
My guess is that they found a way to bypass the usual limits on PIN guesses somehow, allowing them to try all possibilities quickly. And it sounds like they do it entirely in software.
Maybe something like they found a way to crash the secure processor, so they can reset it before it counts the attempt as failed. Timing reveals if it is going to accept or reject the PIN early.
Re: (Score:2)
The problem is most phones combine the pin with a device unique code from the security coprocessor.
You either need to exploit the boot-loader, or have a key to sign your own boot loader with.
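The two posts above describe the same mechanism from two sides: the passcode is combined with a device-unique secret held by the security coprocessor, and the coprocessor is the only thing that can check a guess, so it can count failures and lock out. The model below is an added illustration written for this thread, not Apple's code or anything from GrayKey; the iteration count, the ten-attempt limit and the names `Enclave`, `tangle`, `GuessAll` and `SameKeyAcrossDevices` are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Constructed model (not Apple's implementation): the passcode is entangled
// with a device-unique secret that never leaves the "enclave", and the
// enclave is the only party that can check a guess, so it can count failures.
const (
	maxAttempts  = 10   // failures allowed before keys become unavailable (assumed)
	tangleRounds = 1000 // iterations of the entangling step (assumed; hardware is slower)
)

var ErrLocked = errors.New("enclave: attempt limit reached, keys unavailable")

// tangle derives a key from the passcode under the device secret uid.
// Without uid the function cannot be evaluated, so the 10^4 PIN space cannot
// be searched on another machine; every guess has to go through Unlock.
func tangle(uid []byte, passcode string) []byte {
	out := []byte(passcode)
	for i := 0; i < tangleRounds; i++ {
		mac := hmac.New(sha256.New, uid)
		mac.Write(out)
		out = mac.Sum(nil)
	}
	return out
}

// Enclave holds the state that, in the model, lives inside the coprocessor.
type Enclave struct {
	uid      []byte // device-unique secret, fused in at manufacture
	verifier []byte // tangle(uid, enrolled passcode)
	failures int    // must be kept in the enclave's own persistent storage
}

// NewEnclave enrols a passcode on a fresh device with a random uid.
func NewEnclave(passcode string) *Enclave {
	uid := make([]byte, 32)
	if _, err := rand.Read(uid); err != nil {
		panic(err)
	}
	return &Enclave{uid: uid, verifier: tangle(uid, passcode)}
}

// Unlock is the only interface to the derived key and enforces the counter.
func (e *Enclave) Unlock(passcode string) ([]byte, error) {
	if e.failures >= maxAttempts {
		return nil, ErrLocked
	}
	candidate := tangle(e.uid, passcode)
	if subtle.ConstantTimeCompare(candidate, e.verifier) == 1 {
		e.failures = 0 // a correct entry resets the counter
		return candidate, nil
	}
	e.failures++
	return nil, fmt.Errorf("enclave: wrong passcode (%d/%d)", e.failures, maxAttempts)
}

// GuessAll feeds the 4-digit space to Unlock in order and reports how many
// guesses the enclave checked before the counter stopped it.
func GuessAll(e *Enclave) (tried int, unlocked bool) {
	for pin := 0; pin < 10000; pin++ {
		_, err := e.Unlock(fmt.Sprintf("%04d", pin))
		if errors.Is(err, ErrLocked) {
			return tried, false
		}
		tried++
		if err == nil {
			return tried, true
		}
	}
	return tried, false
}

// SameKeyAcrossDevices reports whether two devices enrolled with the same
// passcode derive the same key; with a per-device uid they do not.
func SameKeyAcrossDevices(passcode string) bool {
	a, b := NewEnclave(passcode), NewEnclave(passcode)
	ka, _ := a.Unlock(passcode)
	kb, _ := b.Unlock(passcode)
	return subtle.ConstantTimeCompare(ka, kb) == 1
}

func main() {
	e := NewEnclave("7359")
	tried, ok := GuessAll(e)
	fmt.Printf("guesses checked before lockout: %d, unlocked: %v\n", tried, ok)
	fmt.Printf("same passcode on two devices gives the same key: %v\n", SameKeyAcrossDevices("7359"))
}
```

Two things the model makes visible. First, the walk through the PIN space stops after ten checks whatever the PIN is, and after that even the correct passcode gets `ErrLocked`, which is the property the thread calls rate limiting. Second, the `failures` field is the whole defence: if it lived only in volatile state that could be reset between attempts (the upstream guess about freezing or crashing the counter), the limit would vanish, which is why it has to be stored inside the enclave and updated before the result of a check is reported.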
Re: (Score:2)
Ah - the joys of capitalistic competition (Score:2)
Nice point, thank you: embarrass Apple into addressing the issue.
The interesting question is whether Apple has the right to demand the basis for the attacks from the vendor.
Re: (Score:2)
Instructions unclear, penis stuck in oppai mousepad.
We just need the galactic key (Score:2)
Pirated in 3...2...1... (Score:2)
That ex-Apple employee (Score:1)
Could Apple go after him for undermining their current products?
Re: (Score:2)
Re: That ex-Apple employee (Score:2)
Apple just spent 30.000$ I guess.
Re: (Score:2)
Re: (Score:1)
Or, he's a programmer who has used Basic and a lot of other languages where '$' denotes a variable of some sort.
Back in my old days of VB and QB (yeah yeah.) I got super used to putting the '$' at the end and, to this day, still do at times. As for the period vs comma? I cannot attest for that one.
Re: (Score:2)
Of course, nospam007 would have to confirm one way or the other, but I'm
Re: (Score:2)
All true, but $30k is still nothing to Apple.
Re: (Score:1)
Well, after doing the Right Thing(TM) (AKA: cyber-stalking) and slogging through his known Slashdot posts, it would seem that he rarely (but at times, does) puts the currency symbol at the end of the currency amount. He also sometimes does not use the transposed '.' and ',' but, most of the time he does, especially on amounts greater than 100k.
I did find mention of Euthanasia being legal in his country so I definitely assume you are correct, BronsCon; he's a foreigner.
I hereby concede defeat.
Re: (Score:2)
DMCA? (Score:2)
All kidding aside Apple will I'm sure just treat this like any other exploit uncovered and change their product to prevent it. Then they'll create a new tool. Welcome to the endless game of Security Whack-a-Mole.
Re: (Score:3)
It'll suck for the people who spent the $15k or $30k on the product, only to have it stop working not long afterwards.
I'd hope that $15k/$30k would include upgrades for a long enough time to be worthwhile, otherwise it's a money sink.
Re: (Score:2)
AFAIK Apple doesn't allow Bitcoin wallet apps, so your plan is foiled.
Re: (Score:2)
Bitcoin wallets are just private keys, and people can and do store them everywhere, no app required.
Some people are even dumb enough to store them in an unencrypted form.
Re: (Score:1)
It will be a government entity using its citizens' tax dollars to pay for it, so they won't care. Other people's money.
Law enforcement use can bypass the DMCA (Score:2)
Law enforcement use can bypass the DMCA
Maybe app developers need to start encrypting? (Score:2)
Maybe app developers should consider doing their own encryption for data stored? This could be fairly simple, depending on the persistence of the data. If the data doesn't leave the device, create two nonces, stuff one in KeyChain, have an app PIN or PW unlock the other part, XOR it for the working key. That way, the OS (which is normally secure) maintains security, but the app still has stuff secured by the separate added PIN/passphrase.
If the data has to be backed up, it could be encrypted with a nonce
That word doesn't mean what you think it does (Score:2)
> create two nonces, stuff one in KeyChain, have an app PIN or PW unlock the other part, XOR it for the working key. ...
> If the data has to be backed up, it could be encrypted with a nonce
The key to your whole scheme is the nonce. And you don't know what a nonce is. So I'll answer your question:
> Maybe app developers should consider doing their own encryption?
App developers should develop apps. Cryptographers, who not only know what a nonce is, but can rattle off the top three most common probl
Re: (Score:2)
The perfect is the enemy of the good here.
Having one's own encryption layer is better than nothing, especially if the phone's encryption may not be secure. Yes, an app developer might have to take the time to realize using AES in ECB mode is not a good thing, but that is better than nothing.
Maybe. False sense of security is bad (Score:2)
If you think a file is encrypted, and therefore it's safe to back it up to an open S3 bucket, it would have been much better to not make it look encrypted and make it obvious that it's not protected.
Whether weak encryption is better than none very much depends on many factors. Very often, it's "better" in the short term, but two years later someone does something that exposes the data because it looks like it's safe. They forget or never knew that the encryption isn't good encryption.
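The exchange above turns on terminology and on mode choice: the proposal stores two secrets and calls them nonces, the reply points out that a nonce is something else, and a later post names AES in ECB mode as the kind of mistake an app developer would have to learn to avoid. The code below is an added example written for this thread, not code from any of the posters; it shows the proposal's idea (one secret in the keychain, one unlocked by the app passphrase, both needed for the data key) with the pieces named as a cryptographer would name them, and it puts an ECB encryption of a repetitive record beside an AES-GCM one so the leakage is measurable. The function names `DeriveKey`, `Seal`, `Unseal`, `EcbEncrypt` and `RepeatedBlocks`, the iteration count and the sample record are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Constructed example, not code from the thread. Terms as used by cryptographers:
//   keychainSecret - random 32-byte key share the OS keychain stores for the app
//   passphrase     - the app's own PIN/passphrase, stretched with PBKDF2
//   salt           - random, public, stored next to the data
//   nonce          - 12 fresh random bytes per encryption, stored with the
//                    ciphertext; never secret and never a key ingredient
const kdfIterations = 100000 // assumed for the example

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte output block.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// DeriveKey needs both secrets: the stretched passphrase is run through an
// HMAC keyed with the keychain share, so neither one alone yields the data key.
func DeriveKey(keychainSecret []byte, passphrase string, salt []byte) []byte {
	stretched := pbkdf2SHA256([]byte(passphrase), salt, kdfIterations)
	mac := hmac.New(sha256.New, keychainSecret)
	mac.Write(stretched)
	return mac.Sum(nil) // 32 bytes: an AES-256 key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM; the output is nonce || ciphertext || tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Unseal reverses Seal and fails on a wrong key or any modified byte.
func Unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EcbEncrypt is the mode the thread warns about: every 16-byte block is
// encrypted independently, so equal plaintext blocks give equal ciphertext.
func EcbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("ecb: plaintext is not a multiple of the block size")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// RepeatedBlocks counts the 16-byte blocks of data that occur more than once.
func RepeatedBlocks(data []byte) int {
	seen := map[string]int{}
	for i := 0; i+aes.BlockSize <= len(data); i += aes.BlockSize {
		seen[string(data[i:i+aes.BlockSize])]++
	}
	n := 0
	for _, c := range seen {
		if c > 1 {
			n += c
		}
	}
	return n
}
```

Running `EcbEncrypt` and `Seal` over the same 64-byte record made of four identical 16-byte lines gives four identical ciphertext blocks under ECB and none under GCM, and `Unseal` rejects the GCM output if a single byte is changed or if the keychain share differs. The design point relative to the original proposal: the randomness that must be fresh per message is the nonce, it travels in the clear with the ciphertext, and both secrets go into the key derivation rather than being XORed directly, so a weak app PIN is still stretched and is still useless without the share.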
15 large for 300 uses? Sounds cheap... (Score:2)
OK, 15 grand is a lot for the average individual, but for law enforcement etc. it's peanuts.
Did I not read here about that Israeli firm charging 100k a pop?
This is really discounting hard - 50 bucks per phone cracked, (if that's what they're doing).
15K for 300 uses (Score:2)
Isn't that the exact same rate as the whores working at Costco?
Re: (Score:2)
http://www.usdebtclock.org/
Re: (Score:3)
Should be considered treason. (Score:3, Interesting)
This is completely against the publics own interest and should be considered treason, IMHO.
Re: (Score:2)
Definitions mean nothing to the current governing regime.
We're talking about a government that has chosen to take "national security" to include even things that merely *might* be of significant economic interest... to only one particular industry, I might add.
Re: (Score:2, Troll)
What's really funny is watching all these people that claim Trump is worse than Hitler, the most evil creature ever, and then they want him to confiscate all private firearms. Pure idiots.
Re: (Score:2)
Depending on who's using them, those private firearms could maybe hold up against a few SWAT teams.
But there's a lot of SWAT teams. Then there's the army, the navy and the air force.
After that, there's all the secret organizations you don't know about, some of them probably equipped with alien weapons.
So yeah, good luck revolting against your government, your puny hand guns will surely let you defend yourself against all of those.
Re: (Score:3)
Despite all the high tech weapons and whatnot, any kind of sustained operation still relies on boots on the ground. And I think you'd be surprised at how quickly the desertion rate would approach 100% if something like that came to pass -- the brainwashing of rank and file grunts is not *that* effective
Also, notice how hard of a time the US has had in pacifying places like Iraq or Afghanistan. It turns out large scale guerrilla-type conflicts are very hard for the US military to handle in a sustained f
Re: (Score:2)
> Despite all the high tech weapons and whatnot, any kind of sustained operation still relies on boots on the ground. And I think you'd be surprised at how quickly the desertion rate would approach 100% if something like that came to pass -- the brainwashing of rank and file grunts is not *that* effective
I believe the student body of Kent State might have a differing experience on that score.
Re: (Score:2)
They had rocks against M-16s. That's not a good idea.
Re: (Score:2)
Yeah, the fools should have used paper.
Re: (Score:2)
The reserves had M1 Garands, not M-16s.
Re: (Score:2)
That's actually worse. Better a 5.56 than that big round the M1 fires.
Re: (Score:2)
Asking troops to slaughter US civilians might get a little dicey. Even SWAT teams might start to balk. It's one thing to go after a bank robber holding hostages. To kill women and kids you need someone like the BATF.
Re: (Score:2)
Unless he starts a nuclear war. Care to place any bets on his ability to handle a crisis beyond a bimbo explosion?
Re: (Score:2)
Re: (Score:2)
There's irony in a statement that complains about national security including economic interests when discussing a country that spends quite so much on its military.
Given how economics are the deciding factors in many wars you may want to reword your statement.
Re: (Score:2)
Re: (Score:2)
I don't think that word means what you think it means.
Re: (Score:2)
Maybe you should read a fucking dictionary.
Re: (Score:2)
Grey's mother was a hamster and Key's father smelt of elderberries!
Hardware or software? (Score:2)
Someone suggested that this is a brute-force attack (and TFA even hints at that). I don't buy that, because a brute-force attack involving opening up the phone would be nothing really new. I expect they are exploiting a vulnerability.
So sure, Apple immediately spent $30k for a license, so that they can analyze it. The fascinating question will be: Does the exploit rely on a hardware flaw or a software flaw? If the latter, it will quickly be patched. If this is ultimately relying on some weakness in the hard
Re: (Score:2)
Is the iPhone X really number 10, though? Because there's no iPhone 9 right now.
I'm thinking this is like they went from Mac OS 9 to Mac OS X, the iPhone X represents a new line of iPhones.
In any case, I'm waiting for the iPhone XXX. They'll have to allow VR porn and 3D hentai apps on it!
Re: (Score:2)
> Someone suggested that this is a brute-force attack (and TFA even hints at that). I don't buy that, because a brute-force attack involving opening up the phone would be nothing really new. I expect they are exploiting a vulnerability.
Apple does the maximum-number-of-wrong-attempts-before-deleting-the-contents-of-the-phone thing. So I'm pretty sure the vulnerability is being able to stop that from happening (and likely adding the code to do the brute forcing). The brute force code is to unlock. By default, iOS has a 4-digit PIN to unlock. That's really easy to brute-force in no time at all if you can have the software input the numbers and get around the maximum-number-of-retries thing, so no reason to even try something other than brute-
Re: (Score:2)
In order for John Irving to unlock her iPhone, he enters a 6-digit PIN. Maybe Lorian Bartle uses an alphanumeric password. John and Lorian did not choose strong passwords, knowing they have to enter it every time they boot up the phone, so either phone is easily crackable by copying the encrypted contents of their phones onto a powerful computer and brute forcing every possible password.
Apple prevents this by generating a random element that, combined with John or Lorian's passcode, makes up the encryption
Re: (Score:2)
GrayKey is not Deep Throat (Score:1)
Spectre or meltdown (Score:1)
This might exploit some Spectre- or Meltdown-like vulnerability to get the encryption keys that are located in an until now safe part of the processor chip.
It's either secure for everyone (Score:2)
....or it's secure for no one.
This cheap? *lol* (Score:1)
Re: Should be $30M for unlimited (Score:2)